COMMAND
Tumbleweed Worldsecure (MMS)
SYSTEMS AFFECTED
Tumbleweed Messaging Management System (MMS) (Formerly Worldtalk Worldsecure) Version: 4.3 - 4.5 (all builds)
PROBLEM
'NT HATER' recently discovered the following vulnerability.
The product uses Microsoft's MSDE (database engine), which is a
stripped-down version of Microsoft SQL Server 7.0. During setup
you are never asked for the 'sa' account password, which may lead
you to think that the application either generates a random
password at each install or uses the same password for all
installations. Well, after further research it was discovered
that the password is left BLANK!!! This is a huge remotely
exploitable vulnerability. Anyone who connects to the database
remotely (as 'sa' with NO PASSWORD) can delete the databases
(denial of service; the product becomes unusable) and modify the
data (customer certificates, product configuration, logs, etc.).
SOLUTION
So long as the installation instructions have you change the
password before putting the machine into production, it is not
fair to blame this on either Microsoft or Tumbleweed. After all,
even Oracle Enterprise (as well as every other Oracle product)
gives the sys and system users well-known passwords at install
time. It is up to a competent administrator to change those
passwords or else risk the inevitable.
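An added administrator check, not taken from the advisory or from Tumbleweed, for the MMS instance's MSDE: it reports whether the 'sa' login still has an empty password and then sets one. Run it from osql or Query Analyzer as a sysadmin; 'CHANGE-ME-placeholder' is a placeholder to replace with a real password, and the assumption is that, as on SQL Server 7.0, a blank password is stored in master..syslogins as NULL or as the hash of the empty string.

```sql
-- Audit the sa login on the MSDE instance shipped with Tumbleweed MMS.
-- Assumption: SQL Server 7.0 / MSDE stores a blank password as NULL
-- or as the hash of '' in master..syslogins.password.
USE master
GO

SELECT name,
       CASE
           WHEN password IS NULL OR PWDCOMPARE('', password) = 1
               THEN 'BLANK - remotely exploitable'
           ELSE 'set'
       END AS sa_password_state
FROM syslogins
WHERE name = 'sa'
GO

-- Also list every other standard-security login with a blank password,
-- since the same installer may have created more than one.
SELECT name
FROM syslogins
WHERE name IS NOT NULL
  AND (password IS NULL OR PWDCOMPARE('', password) = 1)
GO

-- Remediation: assign a password to sa.  The advisory notes that this
-- may break MMS, so test against the vendor bulletin before doing it
-- in production.  'CHANGE-ME-placeholder' is a placeholder value.
EXEC sp_password @old = NULL, @new = 'CHANGE-ME-placeholder', @loginame = 'sa'
GO
```

Re-run the first SELECT afterwards; sa_password_state should read 'set' before the machine is exposed to the network.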
Tumbleweed has known about this for a while now, but has made no
public announcement. The 'workaround' they proposed was to assign
an 'sa' password, but that seems to break the product.
For official response, see:
http://thompson.tumbleweed.com/NewKB/bulletin/UPFiles/sa-official.htm